IN THE
SUPREME COURT OF THE STATE OF ARIZONA
GREG SHEPHERD,
Plaintiff/Appellant,
v.
COSTCO WHOLESALE CORPORATION,
Defendant/Appellee.
No. CV-19-0144-PR
Filed March 8, 2021
Appeal from the Superior Court in Maricopa County
The Honorable Aimee L. Anderson, Judge (Ret.)
No. CV2017-052615
REVERSED IN PART; REMANDED
Opinion of the Court of Appeals, Division One
246 Ariz. 470 (App. 2019)
VACATED IN PART
COUNSEL:
Joshua W. Carden (argued), Joshua Carden Law Firm, P.C., Scottsdale,
Attorney for Greg Shepherd
Karen C. Stafford (argued), Cassandra V. Meyer, The Cavanagh Law Firm,
P.A., Phoenix, Attorneys for Costco Wholesale Corporation
GREG SHEPHERD V. COSTCO WHOLESALE CORPORATION
Opinion of the Court
JUSTICE MONTGOMERY authored the opinion of the Court, in which
CHIEF JUSTICE BRUTINEL, VICE CHIEF JUSTICE TIMMER and
JUSTICES BOLICK and LOPEZ joined. ∗
JUSTICE MONTGOMERY, opinion of the Court:
¶1 We are called upon in this case to determine what a plaintiff
must allege for a claim of negligent disclosure of medical information to
withstand a motion to dismiss based on the immunity provided by A.R.S.
§ 12-2296, and the extent to which the Health Insurance Portability and
Accountability Act (“HIPAA”) may be relied on for a claim of negligence.
¶2 Section 12-2296 affords healthcare providers immunity from
liability for damages if they acted in good faith when disclosing medical
information pursuant to applicable law. While acting in good faith is
presumed, the presumption may be rebutted by clear and convincing
evidence. We hold that a plaintiff does not have to allege bad faith or
rebut the good faith presumption in his complaint when asserting a claim
of negligent disclosure of medical information. We also hold that HIPAA
may inform the standard of care in a negligence claim.
I. Background
¶3 Greg Shepherd visited his physician for a check-up and a refill
of his usual prescription. 1 He also received a sample of an erectile
dysfunction (“E.D.”) medication. Thereafter, Shepherd went to Costco
Pharmacy (“Costco”) to pick up his regular prescription and was notified
that a full prescription of the E.D. medication was ready, too. Shepherd
said that he did not want the E.D. prescription and instructed the Costco
employee to cancel it. The employee acknowledged the request.
∗ Justice Andrew Gould and Justice James P. Beene have recused themselves
from this matter.
1 This case comes to us on appeal from a motion to dismiss pursuant to
Arizona Rule of Civil Procedure 12(b)(6), we therefore take as true the facts
set forth in Shepherd’s operative complaint. Cullen v. Auto-Owners Ins.
Co., 218 Ariz. 417, 419 ¶ 7 (2008).
¶4 Shepherd called Costco the next month to check on his regular
prescription refill. An employee told him that the regular and E.D.
prescriptions were ready. Shepherd again stated that he did not want the
E.D. prescription and, again, his request was acknowledged.
¶5 Shepherd called back the next day, asking if his ex-wife, with
whom he was exploring possible reconciliation, could pick up his regular
prescription. The employee stated she could and that it was ready. The
employee did not tell Shepherd, though, that the E.D. prescription was still
available for pick up, as well.
¶6 When Shepherd’s ex-wife went to Costco, the employee gave
her both prescriptions. However, she did not accept the E.D. prescription,
and the two joked about it. Upon returning to Shepherd, she told him she
knew about the E.D. medication and no longer wanted to be with him,
ending any reconciliation effort. She later told Shepherd’s children and
friends about the E.D. medication.
¶7 Shepherd complained to Costco headquarters about the
disclosure of the E.D. prescription and received a written response
acknowledging a violation of HIPAA and Costco’s privacy policy.
Shepherd then sued Costco, alleging negligence, breach of fiduciary duty,
fraud, negligent misrepresentation, intentional infliction of emotional
distress, intrusion upon seclusion, and public disclosure of private facts
based on Costco’s “public disclosure of an embarrassing medication that
[he] twice rejected.” Shepherd further alleged that had he known Costco
failed to cancel the E.D. prescription, he would not have sent his ex-wife to
pick up his regular prescription.
¶8 Costco moved to dismiss Shepherd’s complaint pursuant to
Arizona Rule of Civil Procedure 12(b)(6), asserting that § 12-2296 provided
immunity from all his claims and that the claims were also precluded by
HIPAA. The trial court granted the motion and dismissed the entire
complaint with prejudice, finding that Costco was entitled to immunity
from suit under § 12-2296, that the claims were preempted by HIPAA, and
that Shepherd failed to allege sufficient facts to support his claims.
¶9 The court of appeals affirmed the dismissal of all Shepherd’s
claims, except his claim for negligent disclosure of medical information.
Shepherd v. Costco Wholesale Corp., 246 Ariz. 470, 479 ¶ 38 (App. 2019). With
respect to this claim, the court referenced Shepherd’s allegations of trying
to cancel the prescription, Costco’s acknowledgment of at least one of the
requests, and the exchange between the Costco employee and Shepherd’s
ex-wife to conclude that Shepherd “may be able to prove some set of facts
showing Costco did not act in good faith.” Id. at 478 ¶ 31. The court also
held that HIPAA did not preclude his negligence claim for wrongful
disclosure of medical information and that HIPAA’s requirements may
inform the standard of care in a negligence action. Id. at ¶ 34.
¶10 We accepted review of Costco’s petition to consider the extent
to which the provisions of § 12-2296 provide immunity from a claim of
negligent disclosure of medical information and whether HIPAA can
inform the standard of care in a negligence claim, which are issues of first
impression and statewide importance. We have jurisdiction under article
6, section 5(3) of the Arizona Constitution.
II. Discussion
¶11 We review de novo the dismissal of a complaint pursuant to
Rule 12(b)(6), Conklin v. Medtronic, Inc., 245 Ariz. 501, 504 ¶ 7 (2018), as well
as issues of statutory interpretation, Nicaise v. Sundaram, 245 Ariz. 566, 567
¶ 6 (2019).
¶12 Costco argues that Shepherd’s negligence claim should be
dismissed as a matter of law given the qualified immunity provided by
§ 12-2296 and because HIPAA does not permit a private right of action.
We address each argument in turn.
A. Qualified Immunity
¶13 Costco’s main argument is that Shepherd’s complaint fails to
plead facts establishing bad faith by Costco. Therefore, he has failed to
rebut the good faith presumption in § 12-2296, leaving Costco immune from
his claim of negligence and requiring dismissal as a matter of law.
¶14 We note at the outset that a complaint need not set forth every
fact that may be associated with a claim. Anserv Ins. Servs., Inc. v. Albrecht,
192 Ariz. 48, 49 ¶ 5 (1998). Instead, “Arizona follows a notice pleading
standard, the purpose of which is to ‘give the opponent fair notice of the
nature and basis of the claim and indicate generally the type of litigation
involved.’” Cullen, 218 Ariz. at 419 ¶ 6 (2008) (quoting Mackey v. Spangler,
81 Ariz. 113, 115 (1956)); Ariz. R. Civ. P. 8(a)(2) (requiring a plaintiff to set
forth “a short and plain statement of the claim showing that the pleader is
entitled to relief”).
¶15 We next note that Costco raised the immunity afforded by
§ 12-2296 as an affirmative defense in a motion to dismiss. See Ariz. R. Civ.
P. 12(b)(6); Chamberlain v. Mathis, 151 Ariz. 551, 554 (1986) (noting that
immunity is an affirmative defense which can be raised in a motion to
dismiss). But because “[a] complaint need not anticipate an affirmative
defense,” Shepherd was not required to specifically address § 12-2296 in his
complaint. Keck v. Kelly, 16 Ariz. App. 163, 166 (1972) (citing Bohmfalk v.
Vaughn, 89 Ariz. 33, 39–40 (1960)); see also Foremost-McKesson Corp. v. Allied
Chem. Co., 140 Ariz. 108, 112 (App. 1983) (“A plaintiff in a negligence action
cannot be required to affirmatively plead and prove the negative of an
affirmative defense, e.g., that it was not contributorily negligent.” (citing
Merit Ins. Co. v. Colao, 603 F.2d 654, 659 (7th Cir. 1979))). Therefore, given
the minimal requirements of Arizona’s notice pleading standard and the
lack of any requirement to address an affirmative defense, it is clear that
Shepherd’s complaint was not deficient due to a failure to allege bad faith
on the part of Costco or to rebut the good faith presumption of § 12-2296.
It was therefore error for the trial court to grant the motion to dismiss on
this basis.
¶16 Our conclusion does not mean that the qualified immunity
under § 12-2296 may never be successfully raised in a motion to dismiss.
To raise an affirmative defense in a motion to dismiss, though, the facts to
establish the defense must appear in the complaint. Chamberlain, 151 Ariz.
at 554 (confirming that “[d]efendant properly raised the immunity defense
in his motion to dismiss because its factual framework was established in
plaintiffs’ complaint”); Sierra Madre Dev., Inc. v. Via Entrada Townhouses
Ass’n, 20 Ariz. App. 550, 552 (1973) (“Affirmative defenses, such as
privilege, may be raised and determined on a motion to dismiss where the
facts constituting the defense appear . . . on the face of the complaint or
counterclaim.” (citations omitted)). Yet, rather than establishing the
affirmative defense under § 12-2296, Shepherd’s complaint contains
allegations from which he “may be able to prove some set of facts showing
Costco did not act in good faith.” Shepherd, 246 Ariz. at 478 ¶ 31.
Shepherd’s pleadings thus establish that dismissal of his claim was error.
¶17 Finally, we observe that some amount of discovery may need
to occur in most cases to permit a plaintiff to develop clear and convincing
evidence to rebut the good faith presumption as the statute explicitly
permits. Regardless, we express no opinion as to the actual merits of
Shepherd’s claim or whether Costco may successfully reassert the
immunity afforded by § 12-2296 in a motion for summary judgment
following remand.
B. Good Faith
¶18 Because what constitutes good faith pursuant to § 12-2296 will
arise on remand and the parties have briefed the issue, we proceed to define
the term. Big D Const. Corp. v. Court of Appeals, 163 Ariz. 560, 563 (1990)
(noting that “reluctance to consider a moot or abstract question is solely a
matter of prudential or judicial restraint”).
¶19 Section 12-2296 states:
A health care provider . . . that acts in good faith under this
article is not liable for damages in any civil action for the
disclosure of . . . information contained in medical records . . .
that is made pursuant to this article or as otherwise provided
by law. The health care provider . . . is presumed to have
acted in good faith. The presumption may be rebutted by
clear and convincing evidence.
While several terms within § 12-2296 are defined elsewhere in article 7.1, 2
good faith is not.
¶20 Our goal in statutory interpretation is to effectuate the
legislature’s intent. State ex rel. DES v. Pandola, 243 Ariz. 418, 419 ¶ 6
(2018). “The best indicator of that intent is the statute’s plain
language. . . .” SolarCity Corp. v. Ariz. Dep’t of Revenue, 243 Ariz. 477, 480 ¶
8 (2018). In construing a specific provision, we may also consider similar
statutes for guidance, Stambaugh v. Killian, 242 Ariz. 508, 509 ¶ 7 (2017), and
we may consider dictionary definitions where a statute does not define a
term, DBT Yuma, L.L.C. v. Yuma Cnty. Airport Auth., 238 Ariz. 394, 396 ¶ 9
(2015).
2 “Healthcare provider” is defined by A.R.S. § 12-2291(5), what constitutes
“medical information” is defined by A.R.S. § 12-2291(6), and what “is made
pursuant to this article or as otherwise provided by law” is set forth in
A.R.S. §§ 12-2292 and -2294 and codified in HIPAA’s privacy standards at
45 C.F.R. § 164.510.
¶21 The parties and courts below differ on the source for and
substance of a definition of good faith. The court of appeals used
dictionary definitions as well as our definition of good faith from Stewart v.
Thornton, 116 Ariz. 107, 110 (1977): “honesty in fact in the conduct or
transaction concerned.” Shepherd, 246 Ariz. at 477–78 ¶ 30. Stewart
involved the determination of the rights of a holder of a promissory note in
the context of an interstate real estate transaction. Stewart, 116 Ariz. at 108.
Given the context of the transaction and the issues under review, we used
the Uniform Commercial Code (“UCC”) to define the operative terms,
including good faith. Id. at 109–10 (citing UCC § 1-210(19), now § 1-
210(20), codified at A.R.S. § 47-1201(20)).
¶22 Shepherd argues that a definition of good faith should have
subjective and objective components similar to the UCC definition of good
faith at A.R.S. § 47-8102(A)(10), which “for purposes of the obligation of
good faith in the performance or enforcement of contracts or duties within
this chapter, means honesty in fact and the observance of reasonable
commercial standards of fair dealing.” Citing to Concord Servicing Corp. v.
JPMorgan Chase Bank, N.A., to underscore his point, he insists that a
definition limiting good faith to “honesty in fact” is insufficient to provide
protection for medical records privacy because that would only require “a
pure heart and an empty head.” No. CV-12-00438-PHX-JAT, 2014 WL
2865557, at *6 (D. Ariz. June 24, 2014) (considering whether bank acted in
good faith in paying fraudulently endorsed checks where it had no
knowledge of the fraud (quoting First Interstate Bank of Or., N.A. v.
Wilkerson, 876 P.2d 326, 330 (Or. App. 1994))). He thus urges us to adopt a
definition of good faith that includes a requirement that a healthcare
provider act in a commercially reasonable manner.
¶23 Costco, on the other hand, cites Ramirez v. Health Partners of S.
Ariz., 193 Ariz. 325 (App. 1998), to define good faith. Ramirez considered
whether a hospital was entitled to qualified immunity under what is now
A.R.S. § 36-856(A), which is part of the Revised Uniform Anatomical Gift
Act (“UAGA”). Id. at 326 ¶ 1. Like this case, Ramirez addressed qualified
immunity with a statutory presumption of good faith where the term was
not defined. Id. at 329–30 ¶ 15. Ramirez, quoting Nicoletta v. Rochester Eye
& Human Parts Bank, Inc., 519 N.Y.S.2d 928, 930 (N.Y. Sup. Ct. 1987) (Good
faith, Black’s Law Dictionary 623 (5th ed. 1979)), observed that courts had
consistently defined good faith under the UAGA as an “honest belief, the
absence of malice and the absence of a design to defraud or to seek an
unconscionable advantage.” Ramirez, 193 Ariz. at 330 ¶ 15 (internal
quotation marks omitted); see also Bond v. Messerman, 873 A.2d 417, 432 (Md.
Ct. Spec. App. 2005) (reviewing disclosure of medical records and utilizing
the same definition with reference to Black’s Law Dictionary).
¶24 Between the UCC definition of good faith and the definition
provided in Ramirez, we conclude that Ramirez’s definition is better suited
for determining qualified immunity under § 12-2296. The UCC definition,
as illustrated by its application in Stewart and Concord Servicing Corp., is
necessarily concerned with the commercial nature of a transaction.
Similarly, Shepherd’s proffered definition is specifically focused on “good
faith in the performance or enforcement of contracts or duties within this
chapter,” which addresses investment securities. A.R.S. § 47-8102(A)(10).
¶25 However, the disclosure of medical records addressed by
§ 12-2296 can occur outside of the context of a commercial transaction. For
example, § 12-2294(C) discusses disclosure to a healthcare provider to
provide diagnosis or treatment to a patient, to an ambulance attendant for
transferring or providing services to a patient, to a legal representative to
obtain legal advice, and to a patient’s third party payor or contractor.
Therefore, a definition that is focused on the conduct of a healthcare
provider, regardless of the nature of the context in which the disclosure
occurs, is more appropriate. Furthermore, “[b]ecause both statutes use the
term ‘[good faith]’ for a common purpose, it is proper to apply a common
definition to that term.” State v. Buhman, 181 Ariz. 52, 56 (App. 1994). We
thus conclude that a healthcare provider acts in good faith where it acts
under an honest belief, without malice or a design to defraud or to seek an
unconscionable advantage.
C. HIPAA
¶26 Costco also argues that Shepherd’s negligence claim fails as a
matter of law because HIPAA does not provide for a private right of action.
Therefore, it cannot support a negligence per se claim or be used to establish
the standard of care for negligence. Additionally, permitting a HIPAA
cause of action undermines the immunity afforded by § 12-2296. For the
following reasons, we disagree.
1. Private Right of Action
¶27 Costco is correct that HIPAA does not provide a private right
of action. Garmon v. Cnty. of Los Angeles, 828 F.3d 837, 847 (9th Cir. 2016)
(“HIPAA itself provides no private right of action.” (quoting Webb v. Smart
Document Sols., LLC, 499 F.3d 1078, 1081 (9th Cir. 2007))). No court has
held otherwise, and neither do we. But, as the court of appeals noted,
HIPAA does not preclude state law tort claims. Shepherd, 246 Ariz. at 478
¶ 33 (citing R.K. v. St. Mary’s Med. Ctr., Inc., 735 S.E.2d 715, 724 (W. Va. 2012)
(“[S]tate common-law claims for the wrongful disclosure of medical or
personal health information are not inconsistent with HIPAA. Rather . . .
such state-law claims compliment HIPAA by enhancing the penalties for its
violation and thereby encouraging HIPAA compliance.”)). Other
jurisdictions have reached the same conclusion, as well. Lawson v.
Halpern-Reiss, 212 A.3d 1213, 1217 ¶ 10 (Vt. 2019) (“HIPAA . . . does not
preempt causes of action arising under state common or statutory law
imposing liability for ‘health care providers’ breaches of patient
confidentiality.’” (quoting Byrne v. Avery Ctr. for Obstetrics & Gynecology,
P.C., 102 A.3d 32, 35, 45–48 (Conn. 2014))); Yath v. Fairview Clinics, N.P., 767
N.W.2d 34, 50 (Minn. Ct. App. 2009) (“Rather than creating an ‘obstacle’ to
HIPAA, Minnesota Statutes section 144.335 supports at least one of
HIPAA’s goals by establishing another disincentive to wrongfully disclose
a patient’s health care record.”); Sheldon v. Kettering Health Network, 40
N.E.3d 661, 672 (Ohio Ct. App. 2015) (concluding that a state common law
claim “enhances the protection of confidentiality of medical information”);
see also Standards for Privacy of Individually Identifiable Health
Information, 65 Fed. Reg. 82,462, 82,582 (Dec. 28, 2000) (characterizing a
private right of action as “a greater penalty” for purpose of comparing state
laws to HIPAA provisions and concluding that “the fact that a state law
allows an individual to file a lawsuit to protect privacy does not conflict
with the HIPAA penalty provisions”). While it is clear that HIPAA does
not provide for a private right of action, it is equally clear that it does not
prohibit a state law claim for negligent disclosure of medical information
and thus does not preclude Shepherd’s negligence claim.
2. Negligence Per Se
¶28 Costco argues that Shepherd solely relies on HIPAA for his
claim of negligence, which amounts to an impermissible negligence per se
claim. However, in addition to HIPAA, the complaint references
regulations governing pharmacies and Costco’s privacy policy. 3
¶29 With respect to its privacy policy, Costco asserts that it cannot
be used to establish the standard of care. While Costco is correct that a
company’s policies may not establish the standard of care, they may inform
it. Costco’s own citations prove the point. See Bryan v. S. Pac. Co., 79
Ariz. 253, 260 (1955) (stating “that ‘[w]hile a violation of [an employer’s
safety] rule would not constitute negligence per se, it would be a
circumstance for the jury to consider on the issue of respondent’s
negligence’” (quoting Powell v. Pac. Elec. Ry. Co., 216 P.2d 448, 453 (Cal.
1950))); Quijano v. United States, 325 F.3d 564, 568 (5th Cir. 2003) (concluding
that under Texas law, “a hospital’s internal policies and bylaws may be
evidence of the standard of care,” even though these rules alone cannot
establish it (emphasis added)); Wal-Mart Stores, Inc. v. Wittke, 202 So. 3d 929,
930–31 (Fla. Dist. Ct. App. 2016) (“Internal policies and procedures may be
admissible if they are relevant to the standard of care. . . .”); Bedell v.
Williams, 386 S.W.3d 493, 500 (Ark. 2012) (addressing whether an internal
policy can create a legal duty). 4 Shepherd’s reference to Costco’s company
policies thus provides an additional source to inform the standard of care
beyond the sole provisions of HIPAA, as does his reference to regulations
governing pharmacies. Lombardo v. Albu, 199 Ariz. 97, 100–01 ¶ 15 (2000)
(stating that “an administrative regulation may form the basis for a
standard of conduct even where it does not so provide” (citing Restatement
(Second) of Torts § 285 (Am. Law Inst. 1965))). Therefore, the argument
that Shepherd is relying solely on HIPAA to establish the standard of care
for his negligence claim is incorrect.
3 Costco has cited to Shepherd’s reference to negligence per se in his
appellate briefs. Our review, though, is limited to what we find in
Shepherd’s complaint.
4 Costco also cites to FFE Transp. Servs., Inc. v. Fulgham, 154 S.W.3d 84, 92–
93 (Tex. 2004), but that case simply concluded that a company’s policies
cannot establish the standard of care, which is not the same as informing it.
¶30 Consequently, Costco’s citation to Skinner v. Tel-Drug, Inc. for
the proposition that “‘permit[ting] HIPAA regulations to define per se the
duty and liability for breach is no less than a private action to enforce
HIPAA, which is precluded,’” is inapposite. No. CV-16-00235-TUC-JGZ
(BGM), 2017 WL 1076376, at *3 (D. Ariz. Jan. 27, 2017) (quoting Sheldon, 40
N.E.3d at 674). Skinner specifically addressed dismissal of a negligence
per se claim and, as discussed above, we otherwise agree with Skinner’s
conclusion that HIPAA does not provide for a private right of action.
3. Standard of Care
¶31 To the extent Costco argues that any use of HIPAA to inform
the standard of care in a negligence claim is precluded, we disagree.
While some courts have concluded otherwise, we find the weight of
authority permitting the use of HIPAA to inform the standard of care
persuasive. See Placencia v. I-Flow Corp., No. CV10-2520 PHX DGC, 2012
WL 5877624, at *6 (D. Ariz. Nov. 20, 2012) (noting that “Arizona law permits
Plaintiffs to present evidence of federal law violations as part of proving
state-law tort claims” (citing Wendland v. AdobeAir, Inc., 223 Ariz. 199, 205
¶ 22 (App. 2009) (holding that OSHA standards could provide evidence of
the standard of care and collecting cases from other jurisdictions reaching
same result))); Fung-Schwartz v. Cerner Corp., No. 17-CV-233 (VSB), 2018 WL
4386087, at *8 (S.D.N.Y. Sept. 13, 2018) (finding that HIPAA can be used to
establish standard of care in a negligence claim); Byrne, 102 A.3d at 47
(noting that “several [courts] have determined that HIPAA may inform the
relevant standard of care”); Henry v. Cmty. Healthcare Sys. Cmty. Hosp., 134
N.E.3d 435, 438 (Ind. Ct. App. 2019) (finding “‘HIPAA and its implementing
regulations may be utilized to inform the standard of care’” (quoting Byrne,
102 A.3d at 49)); Acosta v. Byrum, 638 S.E.2d 246, 251 (N.C. Ct. App. 2006)
(“Here, defendant has been placed on notice that plaintiff will use the
[hospital’s] rules and regulations . . . and HIPAA to establish the standard
of care. Therefore, plaintiff has sufficiently pled the standard of care in her
complaint.”); see also Restatement § 288B cmt. d (“[T]he requirements of
administrative regulations are not adopted by the court as defining a
definite standard of conduct in negligence actions, but are accepted as
affording relevant evidence.”); but see Sheldon, 40 N.E.3d at 672 (“[I]n our
view utilization of HIPAA as an ordinary negligence ‘standard of care’ is
tantamount to authorizing a prohibited private right of action for violation
of HIPAA itself.”); Young v. Carran, 289 S.W.3d 586, 588–89 (Ky. Ct. App.
2008) (declining to permit use of HIPAA in a state law negligence per se
claim). We conclude that Shepherd permissibly referenced HIPAA in his
complaint to inform the standard of care in his negligence claim. The trial
court thus erred in granting Costco’s motion to dismiss on this basis.
4. Immunity under § 12-2296
¶32 Costco further argues that permitting Shepherd to allege
negligence with reference to HIPAA undermines the immunity afforded
healthcare providers for good faith conduct under § 12-2296. We disagree.
Shepherd must still rebut by clear and convincing evidence the statutory
presumption that Costco acted in good faith. See § 12-2296. If he cannot,
Costco will be immune from liability for damages due to any negligent
disclosure of medical information.
III. Conclusion
¶33 Shepherd was not required to anticipate Costco’s affirmative
defense of qualified immunity under § 12-2296 in his complaint and allege
bad faith, let alone allege clear and convincing evidence to rebut the good
faith presumption. Shepherd also permissibly referenced HIPAA to
inform the standard of care for his negligence claim. Consequently, we
reverse the trial court’s order granting Costco’s motion to dismiss and
remand for proceedings consistent with this opinion. We vacate the court
of appeals opinion at ¶¶ 25–35 and the segment of ¶ 38 addressing
Shepherd’s negligence claim.